alt Hacker NewsWhat do you mean by “trust cloud trail”
So cloud trail shows the compromised account logging into an EC2 instance every day like normal.
Then service account credentials are used to access user data in S3.
How does cloud trail indicate the compromised credentials were used to access the customer data in S3?
If you have data events enabled for your S3 bucket, CloudTrail will log every access to that bucket along with the identity of the principal used to access it. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/l...